Retailers Lack Proper Security Control and Visibility, Report Finds

Bay Dynamics sheds light on some critical gaps between the perceptions and realities of retail security.

According to a new report sponsored by Bay Dynamics, there are some critical areas of security where retailers are lacking. Ryan Stolte, co-founder and chief technology officer at Bay Dynamics, noted that there were a couple of unexpected findings and contradictions in the report.
According to the report, which was conducted by Osterman Research and surveyed IT decision makers at 125 retail organizations, 62 percent of respondents indicated that they know everything their permanent employees are doing on their corporate systems, while 50 percent claimed to know what temporary employees are doing.
"Yet they also said a significant percentage of employees—21 percent of permanent retail floor workers and 61 percent of temporary floor workers—use shared accounts," Stolte told eWEEK. "If they are using shared accounts, IT and security teams do not have visibility into what those employees are doing on their corporate systems—a complete contradiction in their response."
Stolte added that 37 percent of respondents also said they cannot identify which systems their temporary employees have accessed, which also demonstrates a lack of visibility into what those employees are doing on their network.

The other surprising finding in the study, according to Stolte, was that in spite of the lack of visibility, the majority of retailers still thought they were doing a good job protecting their information. On a scale of 1 to 7, with 7 being the most proactive, the majority of retailers (80 percent or higher) gave themselves a 6 or greater when it came to identifying critical assets that must be protected, detecting theft or data leakage, and controlling employee access to critical assets.

"Those findings combined with being unable to identify which systems their workers have accessed and the lack of training in topics like phishing and social engineering is a toxic mix that can lead to data walking out the door without a trace," Stolte said.
When it comes to retail security, a hot topic for the past two years has been point-of-sale (PoS) malware, which has been tied to thousands of retail breaches. PoS malware risks were not specifically addressed in the Bay Dynamics-sponsored report, though there is a connection that can be made with the report's findings.
"In a culture that has pervasive credential sharing and access to sensitive data, there are probably many shared service accounts that are not locked down or logged regarding how they are used," Stolte said. "Once service accounts are compromised, it gives the attacker free rein to access and compromise critical assets like PoS systems."
Retailers also are typically required to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS) 3.1, which includes multiple visibility and logging requirements. According to Stolte, based on the data in the report, many retailers would not pass PCI-DSS 3.1.
"However, very often audits are viewed as checklists, confirming that certain systems or controls exist, but do not confirm their effectiveness," he said. "The checklist method results in a state of being compliant, not secure, because the focus is on passing the audit per the letter of the code, not on the spirit of the standard to actually secure the environment."
As to why many retail organizations don't seem to have proper access control and visibility in place, Stolte suspects that the root of the problem is prioritization. In his view, retail organizations have a particularly strong culture of striving to provide the best customer service above all else. Their focus is on acquiring and servicing customers with as little friction as possible.
"As such, additional processes and controls that may delay signing up a customer or conducting a transaction are viewed as obstacles and not a necessary cost of doing business," he said.
The Target breach in late 2013 and the spate of retail breach disclosures that followed in 2014 helped in part to raise awareness about the issue of retail security. Yet despite that fact, there is still a gap in retail security in 2015.
"There is still a disconnect between how business is conducted and the need to secure information," Stolte said. "IT and security teams are telling executives that they are handling both, but they fail to report the true security posture so investments in corrective actions are not always being made with complete information."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.